CVE-2022-1118 HIGH

CVE-2022-1118: Rockwell Automation ISaGRAF Deserialization of Untrusted Data

Vendor Rockwell Automation
Product Connected Component Workbench
Weakness CWE-502 · Unsafe deserialization
Published May 17, 2022
Last update April 16, 2025

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 through v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior, for Trusted Controllers) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

Key dates

02 Disclosure timeline

May 17, 2022 CVE published
April 16, 2025 Record updated